Does this .htaccess security setting really work?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
1
down vote

favorite












What does this .htaccess do?



Am I correct in thinking that all it does is prevent automatic brute force attacks?



So, to access the wp-login.php you have to manually type in the URL of the domain so that negates all the bots seeking out wp-login.php



Am I correct?



Here's the .htaccess rule:



<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %REQUEST_METHOD POST
RewriteCond %HTTP_REFERER !^https://(.*)?my-domain.com [NC]
RewriteCond %REQUEST_URI ^(.*)?wp-login.php(.*)$ [OR]
RewriteCond %REQUEST_URI ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>









share|improve this question



























    up vote
    1
    down vote

    favorite












    What does this .htaccess do?



    Am I correct in thinking that all it does is prevent automatic brute force attacks?



    So, to access the wp-login.php you have to manually type in the URL of the domain so that negates all the bots seeking out wp-login.php



    Am I correct?



    Here's the .htaccess rule:



    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %REQUEST_METHOD POST
    RewriteCond %HTTP_REFERER !^https://(.*)?my-domain.com [NC]
    RewriteCond %REQUEST_URI ^(.*)?wp-login.php(.*)$ [OR]
    RewriteCond %REQUEST_URI ^(.*)?wp-admin$
    RewriteRule ^(.*)$ - [F]
    </IfModule>









    share|improve this question























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      What does this .htaccess do?



      Am I correct in thinking that all it does is prevent automatic brute force attacks?



      So, to access the wp-login.php you have to manually type in the URL of the domain so that negates all the bots seeking out wp-login.php



      Am I correct?



      Here's the .htaccess rule:



      <IfModule mod_rewrite.c>
      RewriteEngine on
      RewriteCond %REQUEST_METHOD POST
      RewriteCond %HTTP_REFERER !^https://(.*)?my-domain.com [NC]
      RewriteCond %REQUEST_URI ^(.*)?wp-login.php(.*)$ [OR]
      RewriteCond %REQUEST_URI ^(.*)?wp-admin$
      RewriteRule ^(.*)$ - [F]
      </IfModule>









      share|improve this question













      What does this .htaccess do?



      Am I correct in thinking that all it does is prevent automatic brute force attacks?



      So, to access the wp-login.php you have to manually type in the URL of the domain so that negates all the bots seeking out wp-login.php



      Am I correct?



      Here's the .htaccess rule:



      <IfModule mod_rewrite.c>
      RewriteEngine on
      RewriteCond %REQUEST_METHOD POST
      RewriteCond %HTTP_REFERER !^https://(.*)?my-domain.com [NC]
      RewriteCond %REQUEST_URI ^(.*)?wp-login.php(.*)$ [OR]
      RewriteCond %REQUEST_URI ^(.*)?wp-admin$
      RewriteRule ^(.*)$ - [F]
      </IfModule>






      htaccess






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 3 hours ago









      henry

      3721210




      3721210




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          1
          down vote













          It appears to prevent any POST requests to wp-login.php that aren't made from a page on my-domain.com.



          When the browser sends a POST request, say after submitting a form, it will include a HTTP Referrer header telling the server where the request came from.



          This theoretically prevents bots submitting POST requests directly to wp-login.php as part of a brute force attack, but the HTTP referrer is trivial to fake, so it's not actually all that helpful.






          share|improve this answer



























            up vote
            1
            down vote













            You Are Partly Correct



            Your above code helps protects your WordPress site by only allowing login requests that come directly from your domain.



            Most brute force attacks send POST requests directly to your wp-login.php script. So requiring a POST request to have your domain as the referrer helps stop these bots.



            You could go one step further if you have a static IP by using the following code:



            RewriteEngine on 
            RewriteCond %REQUEST_URI ^(.*)?wp-login.php(.*)$ [OR]
            RewriteCond %REQUEST_URI ^(.*)?wp-admin$
            RewriteCond %REMOTE_ADDR!^111.111.111.111$
            RewriteRule ^(.*)$ - [R=403,L]


            *Replace with your static IP address.



            *Might not work if your site is behind a DNS service such as CloudFlare.






            share|improve this answer






















              Your Answer







              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "110"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              convertImagesToLinks: false,
              noModals: false,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );













               

              draft saved


              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwordpress.stackexchange.com%2fquestions%2f316646%2fdoes-this-htaccess-security-setting-really-work%23new-answer', 'question_page');

              );

              Post as a guest






























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes








              up vote
              1
              down vote













              It appears to prevent any POST requests to wp-login.php that aren't made from a page on my-domain.com.



              When the browser sends a POST request, say after submitting a form, it will include a HTTP Referrer header telling the server where the request came from.



              This theoretically prevents bots submitting POST requests directly to wp-login.php as part of a brute force attack, but the HTTP referrer is trivial to fake, so it's not actually all that helpful.






              share|improve this answer
























                up vote
                1
                down vote













                It appears to prevent any POST requests to wp-login.php that aren't made from a page on my-domain.com.



                When the browser sends a POST request, say after submitting a form, it will include a HTTP Referrer header telling the server where the request came from.



                This theoretically prevents bots submitting POST requests directly to wp-login.php as part of a brute force attack, but the HTTP referrer is trivial to fake, so it's not actually all that helpful.






                share|improve this answer






















                  up vote
                  1
                  down vote










                  up vote
                  1
                  down vote









                  It appears to prevent any POST requests to wp-login.php that aren't made from a page on my-domain.com.



                  When the browser sends a POST request, say after submitting a form, it will include a HTTP Referrer header telling the server where the request came from.



                  This theoretically prevents bots submitting POST requests directly to wp-login.php as part of a brute force attack, but the HTTP referrer is trivial to fake, so it's not actually all that helpful.






                  share|improve this answer












                  It appears to prevent any POST requests to wp-login.php that aren't made from a page on my-domain.com.



                  When the browser sends a POST request, say after submitting a form, it will include a HTTP Referrer header telling the server where the request came from.



                  This theoretically prevents bots submitting POST requests directly to wp-login.php as part of a brute force attack, but the HTTP referrer is trivial to fake, so it's not actually all that helpful.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered 1 hour ago









                  Jacob Peattie

                  13.1k41726




                  13.1k41726






















                      up vote
                      1
                      down vote













                      You Are Partly Correct



                      Your above code helps protects your WordPress site by only allowing login requests that come directly from your domain.



                      Most brute force attacks send POST requests directly to your wp-login.php script. So requiring a POST request to have your domain as the referrer helps stop these bots.



                      You could go one step further if you have a static IP by using the following code:



                      RewriteEngine on 
                      RewriteCond %REQUEST_URI ^(.*)?wp-login.php(.*)$ [OR]
                      RewriteCond %REQUEST_URI ^(.*)?wp-admin$
                      RewriteCond %REMOTE_ADDR!^111.111.111.111$
                      RewriteRule ^(.*)$ - [R=403,L]


                      *Replace with your static IP address.



                      *Might not work if your site is behind a DNS service such as CloudFlare.






                      share|improve this answer


























                        up vote
                        1
                        down vote













                        You Are Partly Correct



                        Your above code helps protects your WordPress site by only allowing login requests that come directly from your domain.



                        Most brute force attacks send POST requests directly to your wp-login.php script. So requiring a POST request to have your domain as the referrer helps stop these bots.



                        You could go one step further if you have a static IP by using the following code:



                        RewriteEngine on 
                        RewriteCond %REQUEST_URI ^(.*)?wp-login.php(.*)$ [OR]
                        RewriteCond %REQUEST_URI ^(.*)?wp-admin$
                        RewriteCond %REMOTE_ADDR!^111.111.111.111$
                        RewriteRule ^(.*)$ - [R=403,L]


                        *Replace with your static IP address.



                        *Might not work if your site is behind a DNS service such as CloudFlare.






                        share|improve this answer
























                          up vote
                          1
                          down vote










                          up vote
                          1
                          down vote









                          You Are Partly Correct



                          Your above code helps protects your WordPress site by only allowing login requests that come directly from your domain.



                          Most brute force attacks send POST requests directly to your wp-login.php script. So requiring a POST request to have your domain as the referrer helps stop these bots.



                          You could go one step further if you have a static IP by using the following code:



                          RewriteEngine on 
                          RewriteCond %REQUEST_URI ^(.*)?wp-login.php(.*)$ [OR]
                          RewriteCond %REQUEST_URI ^(.*)?wp-admin$
                          RewriteCond %REMOTE_ADDR!^111.111.111.111$
                          RewriteRule ^(.*)$ - [R=403,L]


                          *Replace with your static IP address.



                          *Might not work if your site is behind a DNS service such as CloudFlare.






                          share|improve this answer














                          You Are Partly Correct



                          Your above code helps protects your WordPress site by only allowing login requests that come directly from your domain.



                          Most brute force attacks send POST requests directly to your wp-login.php script. So requiring a POST request to have your domain as the referrer helps stop these bots.



                          You could go one step further if you have a static IP by using the following code:



                          RewriteEngine on 
                          RewriteCond %REQUEST_URI ^(.*)?wp-login.php(.*)$ [OR]
                          RewriteCond %REQUEST_URI ^(.*)?wp-admin$
                          RewriteCond %REMOTE_ADDR!^111.111.111.111$
                          RewriteRule ^(.*)$ - [R=403,L]


                          *Replace with your static IP address.



                          *Might not work if your site is behind a DNS service such as CloudFlare.







                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited 1 hour ago

























                          answered 1 hour ago









                          Invariant Change

                          23515




                          23515



























                               

                              draft saved


                              draft discarded















































                               


                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwordpress.stackexchange.com%2fquestions%2f316646%2fdoes-this-htaccess-security-setting-really-work%23new-answer', 'question_page');

                              );

                              Post as a guest













































































                              Comments

                              Popular posts from this blog

                              What does second last employer means? [closed]

                              Installing NextGIS Connect into QGIS 3?

                              One-line joke